Bug 25566

Summary: mediawiki new security issue fixed upstream in 1.31.4
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, sysadmin-bugs, tmb
Version: 7Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: mediawiki-1.31.3-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-10-14 17:38:11 CEST 
Upstream has announced version 1.31.4 on October 7:
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000236.html

It fixes one security issue.

Updated packages uploaded for Mageia 7 and Cauldron.

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of
suppressed usernames via a User ID Lookup (CVE-2019-16738).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16738
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000236.html
========================

Updated packages in core/updates_testing:
========================
mediawiki-1.31.4-1.mga7
mediawiki-mysql-1.31.4-1.mga7
mediawiki-pgsql-1.31.4-1.mga7
mediawiki-sqlite-1.31.4-1.mga7

from mediawiki-1.31.4-1.mga7.src.rpm
Comment 1 David Walser 2019-10-14 17:38:27 CEST 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Mediawiki

Keywords: (none) => has_procedure

Comment 2 Thomas Backlund 2019-10-14 17:41:53 CEST 
Looks like there is an issue with the security fix...
https://phabricator.wikimedia.org/source/mediawiki/browse/REL1_31/RELEASE-NOTES-1.31

* Followup T230402, PermissionManager doesn't exist until 1.33, so fix the
	  backported patches to use User::isAllowed() instead.

CC: (none) => tmb

Thomas Backlund 2019-10-14 18:24:45 CEST

Keywords: (none) => feedback

Comment 4 Thomas Backlund 2019-10-16 19:49:02 CEST 
1.31.5 got released to fix up the security fix, so its now building....

rpms list:

mediawiki-1.31.5-1.mga7
mediawiki-mysql-1.31.5-1.mga7
mediawiki-pgsql-1.31.5-1.mga7
mediawiki-sqlite-1.31.5-1.mga7

from mediawiki-1.31.5-1.mga7.src.rpm

Keywords: feedback => (none)
Summary: mediawiki new security issue fixed upstream in 1.31.4 => mediawiki new security issue fixed upstream in 1.31.5

Comment 5 David Walser 2019-10-16 20:38:14 CEST 
Thanks Thomas!

Advisory:
========================

Updated mediawiki packages fix security vulnerability:

In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of
suppressed usernames via a User ID Lookup (CVE-2019-16738).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16738
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000236.html
https://lists.wikimedia.org/pipermail/mediawiki-announce/2019-October/000238.html

Summary: mediawiki new security issue fixed upstream in 1.31.5 => mediawiki new security issue fixed upstream in 1.31.4

Comment 6 Herman Viaene 2019-10-21 20:51:29 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Followed procedure as in https://wiki.mageia.org/en/QA_procedure:Mediawiki
using mysql and a robust password.
All works OK, wiki created.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 7 Thomas Andrews 2019-10-22 02:13:40 CEST 
Validating. Advisory in Comment 5.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-10-23 19:28:58 CEST

Keywords: (none) => advisory

Comment 8 Mageia Robot 2019-10-23 23:08:38 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0301.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED